[wp-hackers] WP security breach-- may be my fault, may not be
Eric A. Meyer
eric at meyerweb.com
Wed May 10 03:30:23 GMT 2006
At 5:42 AM +0100 5/9/06, Roy Schestowitz wrote:
>I hope you have added 188.8.131.52 to yours IP deny list. I know I have.
Not yet. I actually want them to try again, so I can see if it's
a password crack or something else. (I've changed the password.)
I'm willing to undertake the effort of cleaning up after another
successful attack if allowing it helps figure out exactly what
happened. So far, no posts have been modified since I cleaned up
after the last two attacks and changed my admin password.
Although if they cracked the admin password, I'd like to know how.
I haven't seen any apparent attempts to brute-force it, and I'm not
sure how it could have been swiped-- and why would someone bother in
the first place? The effort needed to crack a password on a single
blog just doesn't seem worth the payoff.
So here's what I have found, little though it may tell anyone:
That shows All of the instances where there were attempts to access
the WP admin area and the client was redirected to the login page. I
highlighted the two known breakins, but there's a third that wasn't a
breakin but interested me. I highlighted it too-- what drew my
attention was the "Show+Month" bit. So I searched for all instances
of that IP address and came up with:
So if that was a breakin attempt, it failed. I just find it
interesting that there's been more than one attempt to get in that
way. It might be the same person from multiple machines, of course.
I searched my access logs again for all "Show+Month" entries, but
they were all either the original breakins, this now one I show
above, or my own machines.
>There *may* be some backdoor in the handling of
>edit.php?m=MONTH&submit=Show+Month perhaps? I don't know what these
>arguments are intended to achieve. Maybe bad handling of exceptions?
I dunno. That's why I brought it up here, just in case there was
a previously unknown vulnerability.
>This can't do much harm /assuming/ you have not modified much of your code
>(I know Eric Meyer has "hacked WordPress like it was attacking his family").
Actually, not any more. I'm running 1.5 and all the 'hacking' is
now in theme files, or else via plugins I wrote for myself. The core
itself is largely or completely undisturbed. I did a test upgrade to
2.0 on my local server and there weren't any hiccups in terms of the
install running, so I suspect "completely", but it's been a long time
since I upgraded to 1.5 and so I might have forgotten a tweak or two.
>Time-wise, it might be worth going over the changelog for 1.5.3 and, based
>on the log, see if it fixes the problem at hand. It could return to attack
>via proxies and become detrimental. The only real solution is patching.
Unless of course whatever they're doing isn't solved by the latest
version. I'm assuming that all this isn't an obvious example of a
widely known problem with the 1.5x series, though.
Eric A. Meyer (eric at meyerweb.com)
Principal, Complex Spiral Consulting http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more http://meyerweb.com/eric/books/
More information about the wp-hackers